Data extortion attacks hit Salesforce customers

Almost 20 retail, education, and hospitality organizations in the Americas and Europe have been breached by the UNC6040 threat group in attacks involving a trojanized version of Salesforce's Data Loader tool since January, The Register reports.

Attackers masquerading as IT support staff conducted voice phishing that lured targeted entities' employees into opening the Salesforce connect setup page and linking their Salesforce environment with the malicious Data Loader tool, an analysis from Google's Threat Intelligence Group showed. Initial exfiltration of organizational Salesforce data was followed by lateral movement to other platforms within the network, including Microsoft 365 and Okta, with researchers suggesting that UNC6040 may have been collaborating with another threat operation monetizing stolen data access.

The findings also showed that UNC6040 overlapped with global threat collective The Com, which counts Scattered Spider among its members. "However, UNC6040 appears to be distinct from UNC3944, which overlaps with a subset of Scattered Spider activity," said GTIG principal threat analyst Austin Larsen. Meanwhile, Salesforce emphasized the presence of "enterprise-grade security" in its platform in the wake of the findings.
